79 comments
:

Uh oh. Here we go again with Flash Player being updated via the component update. I just hope it doesn't take days or a week as it did a couple of times last year. Apparently there is a rather nasty Flash exploit squashed this time around so it would be in our best interest to get the update sooner rather than later.

How does this component update work? Any way to force it to initiate, none that I can see, letting the browser check for updates just says everythings up to date. My Flash version is still 14.0.0.125 too.

Pepper Flash is also still at 14.0.0.125 here ... MORE than 12 hours AFTER Crapdobe... err... Adobe released the Flash Player Update for IE and Mozilla based browsers.

Using "chrome://components/", as suggested above, to "force" an update is useless as it doesn't even pick up the Pepper Flash version number next to the button - and the normal updater also doesn't pick up any update.

If Chrome doesn't update Pepper Crash... err... Flash within the next 6 hours I'll tear that pile of a browser finally off my computer and revert to FireChrome... err... Firefox where I can at least install Crapdobe's update (and also get it way faster than from).

Ok, this is idiotic.- Chrome doesn't update the Pepper player, which it preferences silently, so we still have the bad one.- Adobe Air doesn't download an updated Air player from their web page either - they're still sending the old and vulnerable one.

What I did:- using the abilities hidden under the 'details' link atop the chrome://plugins page, I disabled Pepper Flash. Now the normal Flash which auto-downloaded 14.0.0.145 sixteen hours or so before is in use, proved by adobe.com/software/flash/about- removed AIR from this machine, and seeing if there's any reason to have it. Besides the current case, it _never_ auto-updates or informs.

Question: what kind of shops are Google and Adobe running, anyway, that they think it's just fine to have these hazards continuing themselves for all normal users? And in the modern version of no courage at all, silently?

chrome://components shows Pepper-flash as being really old, and not the same as Adobe's about flash player page. Pressing Update does nothing. I have Chrome automatic updates disabled as I manage them centrally so just wondering how this update can happen?

@David Williams: Thanks. But, you know what's really "funny" in all of this?

Reportedly it was a Google Engineer who discovered the current "data stealing" flaw in Adobe Flash, yet that hive of morons is not able to come up with a working distribution mechanism to deploy security updates to each and every client world-wide at the very same time (ther "at the very same time" actually refers to the idiotic staged roll-outs through the Play Store in Android).

Microsoft, in comparison, has done a whole lot of things totally wrong in the past and recently, but their update distribtuion is a prime example of how to do things absolutely right. Hell... even Mozilla has a working update system for the browser.

And since Chrome failed to update Pepper Flash for MORE than 24h AFTER Adobe released the update packages... Google Chrome wiped off my computers for as long as they have no idea what "security" and "update distribution" means; jacking jaws about it in blog articles to vent hot air is not a working security and update deployment strategy.

I have information that chromebook users do not experience those problems. What is happening? How can Google allow this to happen? Browsers won't update. Though I have an option for you guys, for those who didn't switch from chrome to mozilla yet, maybe you should try reinstalling chrome, chrome downloaded from the official website always comes with all the latest components. Anyone wanna try and write a report?)

On my wife's PC plugin has just updated itself, I didn't do anything, the Chrome was opened for like several hours that is it. On my PC plugin is still 14.0.0.125. I decided to just leave my PC with the Chrome opened and wait untill it updates. Guys from Google - SHAME ON YOU!!!You make dozens of people from all around the world vulnerable against threats from the web, because one of you decided to run Flash Update through components update on this Patch Tuesday, without updating version of the Chrome itself. And I bet you guys know about this problem, hours pass one by one, and people still have outdated plugins. And still no action. Google is one of the largest companies in the world with millions $ income, you say security is your number one priority and you can't update a plugin? How is that? This is a disrespect, stupid of you.

Really, this is not the first time time when google runs flash update through components update, and everytime hundreds of coments of unhappy customers. Will somebody give me an explainational of these profoundly stupid acts?Are they just trying to push us to other browsers? Or are they trying to be difficult? Or what?/I am mad as hell!!And I am from the Ukraine! Yeah, I learned foreign language just to let people from Google know how they screwed up!!!LOLNEVER EVER AGAIN UPDATE FLASH OR ANY OTHER PLUGIN WITHOUT ISSUING THE NEW VERSION OF THE BROWSER, COMPONET UPDATE MUST DIE!!!!!!!!!!!!!!

Yeah I am thankfull for releasing a pre-beta(canary) version of 64bit Chrome. Really THANK YOU! All browsers are 64 bit, chrome is the latest, that is just fine, I can survive it. I prayed to God to make you develop 64bit version, and you did it in the middle 2014, wikipedia says 64 bit architecture exists since 1975, 35 YEARS, and now finally, chrome is 64 bit, almost, still need to wait for a STABLE 64 bit version! But after making such a giant step forwad how could you let the Flash Player update through components update again?"It is a silly fish that is caught twice with the same bait"

every flash update the same shit. every andorid the same shit. it's not feasible for google to rollout this to every onetime. even if you try to update manually via chrome://components you will not get the update once. you'll have to wait until google thinks it's ok and you are ready for update.

that a very weak patch deployment strategy. browsers have broken plugins installed for days because google is not able to deploy the plugins in a timely manner. even adobe is faster know.

this is very bad. time to switch to another browser. chrome may be the fastest browser but the concept of deploying updates and component updates is the weakest one!

Someone here said "On my wife's PC plugin has just updated itself, I didn't do anything, the Chrome was opened for like several hours that is it."

Well I've had Chrome open for well over 4 hours now, which is rare since I don't even spend much time on my laptop during the day, so having to keep it on, and the browser open for hours upon hours just to get the security update for Flash is incredibly stupid. And thats it if even worked, because it didn't. Chromes been open for over 4 hours, and the internal Flash plugin is STILL not updated.

This is ridiculous. I had the Flash plugin for Firefox updated within hours of it being announced because I just went to Adobe.com and grabbed it.

For now I guess I will just disable Chrome's internal Flash and make it use the external one thats also installed for Firefox. Does anyone know if that will stop it from updating it tho entirely, when someday that actually happens.

An actual reply from someone at Google or on the Chrome team would be nice to all these commenters complaining, only because they want their browser to be secure, and until that Flash plugin is updated, or disabled, Chrome is NOT secure. This is really making me question whether Chrome even deserves to remain the system's default browser, and if I should remove it entirely from my mother and sister's computers that rely on me to keep them updated and put them both back on Firefox.

Yeah, i left PC working for the whole night today, with chrome open. Nothing. I set the PC to prevent if from automatical shutdown or sleepmode etc.

This is the biggest cybersecurity dissapointment of the July 2014. And what drives me really mad, look noone from google replies. They must be just sitting out there in Google's Office, chilling in a jacuzzi and laughing at us.LOL

I really would like to stick with chrome, because all other browsers are to cluttered. And crome is nice, simple and uncluttered, and it is soon going to be 64 bit even. They should fire the person who issues Flash Update through component updates all the time, and it is just going to be fine.

Gotta agree with the disappointment expressed here. We're in a corporate environment and I've had Chrome running for the last 12 hours and still no update. I was given lots of grief for not wanting to install Chrome on our desktops as I just wasn't comfortable with the security issues, but I finally relented when we ran into a vendor website that refused to run in IE. Now I'm not sure what we're going to do, but to think that we're two days into this and still no updates... All of our IE users were patched on Tuesday. Very troubling.

Yeah, I just removed Chrome and started using IE, and realised that I can't install adblock and web of trust addons on it, I am so used to using the web without adds and when web of trust warns me about website safety. Now what? Mozilla? Mozilla is not 64 bit for wondows anymore, and Chrome promises to be 64 bit starting from version 37. I am in a sort of frustration.

These instructions apply to Google Chrome on Windows, Mac, Linux, and Chrome OS.

Type chrome:plugins in the address bar to open the Plug-ins page.On the Plug-ins page that appears, find the "Flash" listing.To enable Adobe Flash Player, click the Enable link under its name.To disable Adobe Flash Player completely, click the Disable link under its name.

This is unreal. On a system which I have logged in on the Admin account for the past couple of days, I noticed that Chrome updated Flash to the .145 secure version. HOWEVER, on the same exact PC under the standard user accounts, the Chrome installs still show .125 and are not updating. This is the most idiotic thing I've ever seen. There's a fix, but Google won't let you have it.

+Andrew Dz: www.palemoon.org - Pale Moon is a popular fork of Firefox that's also available as a very well working 64-Bit build. The browser is well maintained in terms of security updates; the only recent change is that it does no longer sync with "Firefox Sync" but only with their own Palemoon "Weave sync". This is a result of the forking away from Mozilla's code-base.

Alternatively you can use, at the time of writing, Firefox 33 Alpha. The nightly trunk contains a "win64-x86_64" version (en-US only), but you well better don't consider that one a stable daily driver.

You could also try to use Chromium (chromium.woolyss.com/download/), but that 64-Bit builds are also best considered non-stable.

If you want, or need, a stable 64-Bit browser you best run with Pale Moon.

still no update on a lot of machines here. and the best of all: even if this fucking plugin will update it's done on per user not per system. why to hell can we install this fucking browser systemwide when plugins gets update per user?time to put this fucking browser to the trash and switch back to firefox. they know what they are doing. google becomes more and more a nightmare.

I was tempted to simply take the updated pepflashplayer.dll and replace all instances of the older version of the .dll, but I'm concerned that's not the only file that needs to be updated. I'm also not sure if my Windows 7 version of the .dll is the same exact file for Windows 8 (I have a Win 8.1 system that still has not received the update after leaving it on most of last night).

It would be wonderful if someone from Google would actually post here advising us of the appropriate steps to get updated, but sadly it looks as if they just don't give a ----.

Here's an update. Downloading the installer direct from Adobe (see url above) will work, but with the following caveat. Once installed, you'll now have two flash players available to Chrome that show up in chrome://plugins. The first will be the old .125 vulnerable version. Disable that one and simply use the new .145 version.

Hope this does not happen to often. Had to disable 125 and enable adobe 145 in the interim. I'm with everyone else that believes this "component" route to flash updates (or anything else) is total crap!

I have turned off IE, and installed chrome again. Because even though Chrome team screwed up on this patch tuesday with it's damned components update, I am just so used to using chrome, and chrome is good, fits right in my laptop setup. Surprisingly I didn't have to set it up again after intallation, i just entered my google credentials and my settings, add-ons and bookmarks were there. I wish components update would work as seamless as synch.:) But to my deep regret flash ver. was still 125. I just left chrome open for like 7 hours or so, checked again, and what you think? Still 125. I said to myself, ok, screw it, and just kept browsing, then without a shadow of hope I checked the version, and yes it was 145!! Miracle! Ok my conclusion is, Chrome is a good browser, but guys from google, you want chrome to be number one then listen to the what your customers say, total ignore and disrespect of you, I and and anyone who posted here didn't expect that.

Karen, it sure would be nice to get even one response from Google to this 50+ post thread.

Our Windows systems finally updated (after 5 days of exposure). I'm not sure if it was due to the users repeatedly clicking "check for updates" on the chrome://components page, or them repeatedly re-launching the browser, going to "About Google Chrome", etc., or if the update would have happened on its own.

That leaves Chrome on our Linux systems still running the vulnerable .125 version. Adobe says that .145 is current for Chrome on Linux. See:

what an epic fail. since tuesday google is not able to deploy the flash plugin to anyone. even if you got the update it's only user based not machine base. i hope adobe stops this and start itself to make everthing for all browsers. even microsoft is able to do this in a timely manner. but not google.

This very blog implies that end users need not do anything to be automatically updated to the secure version of Pepper Flash. In fact, this blog refers and links to Adobe's security bulletin, which provides: "Adobe Flash Player 14.0.0.125 installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 14.0.0.145 for Windows, Macintosh and Linux."

Having made this public representation, doesn't Google's legal team think that there would now be a duty on the part of Google to live up to that representation and not instill upon the public the false sense of security? Another question for the legal team assuming the first question would be answered in the affirmative: Do you think that considering the patch has been available for days now yet apparently many (perhaps most?) Chrome users are still vulnerable, that Google has breached its duty, and therefore would be held liable for any damages Chrome users would incur as a result of the breach?

Would love to know Google's attorneys' answer to those questions.

In any event, I think it's clear that Google has acted irresponsibly, and Google's lack of involvement in this thread shows that it really doesn't care about security or its concerned users. Very disappointing since I have relied upon and recommended Chrome to most all my friends, family and colleagues.

I'm actually fortunate in that I hav many computers at my disposal to test. One of the multi-user-account systems has the "Alternate" install of Chrome for all users (see: https://support.google.com/chrome/answer/126299 ), in which the default path to the Pepper Flash .dll is here: C:\Program Files (x86)\Google\Chrome\Application\35.0.1916.153\

When this system's admin account received the update though, it placed the update the the admin account's local AppData, which of course cannot be accessed by the other user accounts.

Thus, I suspect the other user accounts might never get the update. I've manually copied the new 14.0.0.145 pepflashplayer.dll into the appropriate shared directory (overwriting the vulnerable 14.0.0.125 version) and, although chrome://plugins still reports 14.0.0.125, Adobe reports running 14.0.0.145.

I'll let you know if the non-admin account ever updates officially however, I suspect that it will not and that users of the alternate Chrome install cannot at this time rely upon component update system. Would really be nice if someone with half a brain from Google (perhaps someone other than post-and-run Karen Grunberg) can confirm my hypothesis.

This blog post:http://bovitron.com/blogostu/2014/07/10/installing-pepperflash-14-0-0-145-for-chrome-35-0-1916-153-on-slackware-14-1/shows how (on Slackware) to get the PepperFlash version 14.0.0.145 Files from the Beta rpm installer into Chromium for Linux.

I run Ubuntu 14.04, so my route was as follows:

Download the Beta Installer as the rpm package.

Using File Roller or Archive Manager, extract the required files from the rpm package and save the extracted files somewhere (I used my desktop in Unity).

We will need only two extracted files:libpepflashplayer.so andmanifest.json Both are found inside the Chrome Beta installer under./opt/google/chrome/PepperFlash/(Yes, the Top-Level Folder as seen by the Archive Manager is labeled simply ".")

Copy (using gksu Nautilus, as this must be done as Root) the two files needed to both the PepperFlash Nonfree Plugin Folder and the PepperFlash Nonfree Installer Folders (The MAnifest is really only needed in the Instaaller Folder).(/usr/lib/pepperflashplugin-nonfree and /usr/lib/pepflashplugin-installer)

I rebooted and restarted Chromium for safety.

Chromium still displays in chrome:plugins the .125 version number. But when tested at the three Adobe Test Pages, the PepperFlash version was revealed to be the .145 upgrade, just as it should be. All security requirements should now be met, even if Chromium itself doesn't know we have updated PepperFlash.

By Gawd, I wish Google would get up to speed with this issue, but the workaround does work for me.

Save this post in your notes, folks, as I strongly suspect that we haven't seen the last of these "Component Route" updates by a long shot!

Update: My method was incomplete. There's one last cosmetic step to take.

Using any Editor with Root privileges, edit /usr/lib/pepflashplugin-installer/pepflashplayer.sh to read the current version where listed in the file. It only appears once, and it's a short file. Now everything's in sync and up to date.

Chromium now displays in chrome:plugins the .145 version number. When tested at the three Adobe Test Pages, the PepperFlash version was revealed to be the .145 upgrade, just as it should be. All security requirements should now be met, and Chrome itself knows it has had the update.

Zeke... your question "will flash update if it is disabled or in click to play mode?????". Yes, I had pepper 125 disabled and Adobe 145 enabled when I got the update. All I had to do was disable Adobe, enable pepper, and all was fine...

Tired to wait for pepper-flash auto update to ".145" for FIVE days with no success.I've found a method to update it manually:1) Run the chrome portable on-line installer and select the Canary version (because this version comes with pepflash 14.0.0.145)2) When portable installer finishes, uncheck "Run chrome portable" and exit it3) Look inside ChromePortable canary for the folder PepperFlash (containing pepflashplayer.dll & manifest.json) and copy it, for example, to root (C:)4) Now create a shortcut to launch chrome stable (installed or portable version) with this command lines (append it leaving one space after the .exe):--ppapi-flash-path=C:\PepperFlash\pepflashplayer.dll --ppapi-flash-version=14.0.0.145(avoid spaces in folder names)5) Now check if chrome picked up the new pepper flash from...adobe's website:http://www.adobe.com/software/flash/about/or:chrome://plugins/

At the end on my MacBook with 10.9.4 Mavericks my Google Chrome also updated to the actual version 36.0.1985.125 two days ago and now the integrated Flash is version 14.0.0.145 ... But now we know, this component-update never worked!